From 0062d3d5bb2d8772936c35b8bd978eb0a3a116f9 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Mon, 28 Aug 2023 23:16:35 +0200
Subject: [PATCH 1/7] flexible value for auth_method in pg_hba.conf if passwords are used
---
 manifests/params.pp | 2 +-
 manifests/server.pp | 2 +-
 manifests/server/instance/config.pp | 8 ++++----
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index a6d3d6f370..f620d2d8ce 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -25,7 +25,7 @@
 $manage_selinux = pick($manage_selinux, false)
 $package_ensure = 'present'
 $module_workdir = pick($module_workdir,'/tmp')
- $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { undef }
+ $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { 'md5' }
 $extra_systemd_config = undef
 $manage_datadir = true
 $manage_logdir = true
diff --git a/manifests/server.pp b/manifests/server.pp
index fcd31bfce7..c5175a096d 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -178,7 +178,7 @@
 Boolean $manage_datadir = $postgresql::params::manage_datadir,
 Boolean $manage_logdir = $postgresql::params::manage_logdir,
 Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::params::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
 Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
 Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 4b049a8a00..25c9376526 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
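Review bot: The `'14'` threshold in the params.pp hunk is the release in which PostgreSQL's own default for `password_encryption` became scram-sha-256, but SCRAM-SHA-256 authentication has existed since PostgreSQL 10, so the module keeps hashing role passwords with md5 on 10–13 even though the stronger scheme is available there. That is a defensible compatibility choice, and md5 role hashes are the weaker secret to have in the catalog, so the selector should say why it stops at 14 rather than 10. A one-line comment above the assignment would do: `# scram-sha-256 is PostgreSQL's own default from 14 on; md5 is kept for older releases`.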
@@ -70,7 +70,7 @@
 Boolean $service_enable = $postgresql::server::service_enable,
 Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
 Optional[String[1]] $timezone = $postgresql::server::timezone,
- Optional[Postgresql::Pg_password_encryption] $password_encryption = $postgresql::server::password_encryption,
+ Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
 Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
 ) {
 if ($manage_pg_hba_conf == true) {
@@ -105,7 +105,7 @@
 type => 'host',
 user => $user,
 address => '127.0.0.1/32',
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 3;
 "deny access to postgresql user for instance ${name}":
@@ -118,13 +118,13 @@
 "allow access to all users for instance ${name}":
 type => 'host',
 address => $ip_mask_allow_all_users,
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 100;
 "allow access to ipv6 localhost for instance ${name}":
 type => 'host',
 address => '::1/128',
- auth_method => 'md5',
+ auth_method => $password_encryption,
 order => 101;
 }
 }
From 2aa0a53bf0315e5a41206bbe7fa65aad5af4560f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Simon=20H=C3=B6nscheid?=
Date: Tue, 29 Aug 2023 09:14:49 +0200
Subject: [PATCH 2/7] change password_encryption method selection to selector statement
Co-authored-by: Tim Meusel
---
 manifests/params.pp | 2 +-
 spec/acceptance/overridden_settings_spec.rb | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/params.pp b/manifests/params.pp
index f620d2d8ce..3a64384fe9 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
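Review bot: Switching the `127.0.0.1/32`, `$ip_mask_allow_all_users` and `::1/128` rules from `'md5'` to `$password_encryption` means that on PostgreSQL 14 and later these rules now require `scram-sha-256`, which the server only accepts for roles whose stored password is a SCRAM hash; roles created earlier with md5 hashes are locked out of these rules until their password is set again. A pg_hba.conf `md5` entry would have kept accepting both, because PostgreSQL automatically falls through to SCRAM when the stored hash is SCRAM, so this is a hardening step with a real upgrade impact that the hunks do not call out. Worth a comment above the first rule, `# auth_method follows password_encryption: with scram-sha-256 only roles whose stored password is a SCRAM hash can log in`, plus an upgrade note in the changelog. The enclosing `pg_hba_rule` resource block starts and ends outside these hunks.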
@@ -25,7 +25,7 @@
 $manage_selinux = pick($manage_selinux, false)
 $package_ensure = 'present'
 $module_workdir = pick($module_workdir,'/tmp')
- $password_encryption = if versioncmp($version, '14') >= 0 { 'scram-sha-256' } else { 'md5' }
+ $password_encryption = versioncmp($version, '14') ? { -1 => 'md5', default => 'scram-sha-256' }
 $extra_systemd_config = undef
 $manage_datadir = true
 $manage_logdir = true
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 74695a49e2..107cabd518 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -26,7 +26,7 @@ class { 'postgresql::server':
 type => 'host',
 database => 'mydb',
 user => 'myuser',
- auth_method => 'md5',
+ auth_method => $postgresql::server::password_encryption,
 address => '192.0.2.100/32',
 },
 },
From 4938a20427fd7614ad82231fdf2352fc8645f506 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Wed, 30 Aug 2023 16:36:49 +0200
Subject: [PATCH 3/7] hardcode scram method
---
 spec/acceptance/overridden_settings_spec.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 107cabd518..270a987094 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -26,7 +26,7 @@ class { 'postgresql::server':
 type => 'host',
 database => 'mydb',
 user => 'myuser',
- auth_method => $postgresql::server::password_encryption,
+ auth_method => 'scram-sha-256',
 address => '192.0.2.100/32',
 },
 },
From 4e4ebd6a35a60c1ac7d5e40f34ddc9a8785576d8 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Thu, 31 Aug 2023 10:30:23 +0200
Subject: [PATCH 4/7] auth method dynamically in acceptence test
---
 spec/acceptance/overridden_settings_spec.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 270a987094..78cbce1300 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
@@ -8,9 +8,9 @@
 before(:all) do
 LitmusHelper.instance.run_shell("cd /tmp; su 'postgres' -c 'pg_ctl stop -D /var/lib/pgsql/data/ -m fast'", acceptable_exit_codes: [0, 1]) unless os[:family].match?(%r{debian|ubuntu})
 end
-
 let(:pp) do
 <<-MANIFEST
+ $auth_method = $facts['os']['release']['major'] ? { '7' => 'md5', default => 'scram-sha-256'}
 class { 'postgresql::server':
 roles => {
 'testusername' => {
@@ -26,7 +26,7 @@ class { 'postgresql::server':
 type => 'host',
 database => 'mydb',
 user => 'myuser',
- auth_method => 'scram-sha-256',
+ auth_method => $auth_method,
 address => '192.0.2.100/32',
 },
 },
From 40765d22de5b44e453097e9900e404bacb053bf3 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Thu, 31 Aug 2023 10:47:02 +0200
Subject: [PATCH 5/7] add pg_hba_auth_password_encryption parameter
---
 manifests/server.pp | 5 ++++-
 manifests/server/instance/config.pp | 10 ++++++++++
 2 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/manifests/server.pp b/manifests/server.pp
index c5175a096d..ecb11fd967 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
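Review bot: The added `$auth_method` selector keys on `$facts['os']['release']['major']` while `params.pp` keys on `versioncmp($version, '14')`, so the test only agrees with the module on distributions where major release `'7'` happens to ship a pre-14 PostgreSQL — presumably EL7 — and any other platform whose packaged PostgreSQL is older than 14 would be tested with `scram-sha-256` against roles the module hashes with md5. Deriving the value from the same PostgreSQL version the module resolves, rather than from the OS release, would keep the test and the defaults in step as platforms are added. At minimum the magic value needs a comment in the manifest, e.g. `# '7' is EL7, whose packaged PostgreSQL predates the scram-sha-256 default`. The `let(:pp)` heredoc continues past the end of this hunk.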
@@ -96,7 +96,9 @@
 # @param manage_logdir Set to false if you have file{ $logdir: } already defined
 # @param manage_xlogdir Set to false if you have file{ $xlogdir: } already defined
 # @param password_encryption Specify the type of encryption set for the password.
-#
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param roles Specifies a hash from which to generate postgresql::server::role resources.
 # @param config_entries Specifies a hash from which to generate postgresql::server::config_entry resources.
 # @param pg_hba_rules Specifies a hash from which to generate postgresql::server::pg_hba_rule resources.
@@ -179,6 +181,7 @@
 Boolean $manage_logdir = $postgresql::params::manage_logdir,
 Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
 Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
+ Postgresql::Pg_password_encryption $pg_hba_auth_password_encryption = undef,
 Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
 Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 25c9376526..2d57f0806a 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
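Review bot: The new `@param pg_hba_auth_password_encryption` text misspells `useful` as `usefull` and writes the file as `pg_hba_conf`, and it leaves out the one fact a reader needs before choosing the parameter: when it is unset the auth method falls back to `$password_encryption`, which is what the accompanying config.pp change implements. A wording that states the contract: `# @param pg_hba_auth_password_encryption Auth method written into the generated pg_hba.conf rules; defaults to the value of password_encryption. Set it to md5 to keep a transition window while scram-sha-256 is enforced for newly stored passwords.` The identical text is added to `manifests/server/instance/config.pp` in the next hunk of this patch and needs the same fix.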
@@ -42,6 +42,9 @@
 # @param log_line_prefix PostgreSQL log line prefix
 # @param timezone Set timezone for the PostgreSQL instance
 # @param password_encryption Specify the type of encryption set for the password.
+# @param pg_hba_auth_password_encryption
+# Specify the type of encryption set for the password in pg_hba_conf,
+# this value is usefull if you want to start enforcing scram-sha-256, but give users transition time.
 # @param extra_systemd_config
 # Adds extra config to systemd config file, can for instance be used to add extra openfiles. This can be a multi line string
 define postgresql::server::instance::config (
@@ -71,8 +74,15 @@
 Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
 Optional[String[1]] $timezone = $postgresql::server::timezone,
 Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
+ Postgresql::Pg_password_encryption $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
 Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
 ) {
+ if $pg_hba_auth_password_encryption {
+ $override_pg_hba_auth_password_encryption = $pg_hba_auth_password_encryption
+ } else {
+ $override_pg_hba_auth_password_encryption = $password_encryption
+ }
+
 if ($manage_pg_hba_conf == true) {
 # Prepare the main pg_hba file
 concat { $pg_hba_conf_path:
From 1cd09f5c76aeb36957b58053a06adc4392ad40ce Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Thu, 31 Aug 2023 11:07:00 +0200
Subject: [PATCH 6/7] add empty line
---
 spec/acceptance/overridden_settings_spec.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/spec/acceptance/overridden_settings_spec.rb b/spec/acceptance/overridden_settings_spec.rb
index 78cbce1300..eef9563fbb 100644
--- a/spec/acceptance/overridden_settings_spec.rb
+++ b/spec/acceptance/overridden_settings_spec.rb
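Review bot: `$override_pg_hba_auth_password_encryption` is assigned in the new `if`/`else` block but nothing in this patch reads it: the diffstat for config.pp is 10 insertions and 0 deletions, and those ten are exactly the three doc lines, the new parameter and this block, so the three `pg_hba_rule` entries set in patch 1 still pass `auth_method => $password_encryption`. As the series stands the new parameter is accepted and silently ignored, and the transition window its documentation promises never takes effect; patch 7 only changes the parameter's type and does not close this gap. The three rules should read `auth_method => $override_pg_hba_auth_password_encryption,`, and an acceptance case that sets `pg_hba_auth_password_encryption => 'md5'` and checks the generated pg_hba.conf would have caught the omission. The rules themselves lie outside this hunk.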
@@ -8,6 +8,7 @@
 before(:all) do
 LitmusHelper.instance.run_shell("cd /tmp; su 'postgres' -c 'pg_ctl stop -D /var/lib/pgsql/data/ -m fast'", acceptable_exit_codes: [0, 1]) unless os[:family].match?(%r{debian|ubuntu})
 end
+
 let(:pp) do
 <<-MANIFEST
 $auth_method = $facts['os']['release']['major'] ? { '7' => 'md5', default => 'scram-sha-256'}
From cc380023d2b8f05fc08e731e9270178e2f49eb17 Mon Sep 17 00:00:00 2001
From: Simon Hoenscheid
Date: Thu, 31 Aug 2023 11:19:48 +0200
Subject: [PATCH 7/7] Set parameter optional so undef is working
---
 manifests/server.pp | 2 +-
 manifests/server/instance/config.pp | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/manifests/server.pp b/manifests/server.pp
index ecb11fd967..89d45fb7d5 100644
--- a/manifests/server.pp
+++ b/manifests/server.pp
@@ -181,7 +181,7 @@
 Boolean $manage_logdir = $postgresql::params::manage_logdir,
 Boolean $manage_xlogdir = $postgresql::params::manage_xlogdir,
 Postgresql::Pg_password_encryption $password_encryption = $postgresql::params::password_encryption,
- Postgresql::Pg_password_encryption $pg_hba_auth_password_encryption = undef,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = undef,
 Optional[String] $extra_systemd_config = $postgresql::params::extra_systemd_config,
 Hash[String, Hash] $roles = {},
diff --git a/manifests/server/instance/config.pp b/manifests/server/instance/config.pp
index 2d57f0806a..f801d89e36 100644
--- a/manifests/server/instance/config.pp
+++ b/manifests/server/instance/config.pp
@@ -74,7 +74,7 @@
 Optional[String[1]] $log_line_prefix = $postgresql::server::log_line_prefix,
 Optional[String[1]] $timezone = $postgresql::server::timezone,
 Postgresql::Pg_password_encryption $password_encryption = $postgresql::server::password_encryption,
- Postgresql::Pg_password_encryption $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
+ Optional[Postgresql::Pg_password_encryption] $pg_hba_auth_password_encryption = $postgresql::server::pg_hba_auth_password_encryption,
 Optional[String] $extra_systemd_config = $postgresql::server::extra_systemd_config,
 ) {
 if $pg_hba_auth_password_encryption {